ABSTRACT

One  of  the  recent  generalizations  of  (t,  n)  secret  sharing  for  hierarchical  threshold  access  structures  is 
given  by  Tassa,  where  he  answers  the  natural  question  of  sharing  a  secret  among  a  set  of  participants,  say 
military  officers,  so  that  the  secret  can  be  constructed  by  a  group  of  participants,  some  of  whom  are 
hierarchically  superior  to  others.  Both  recent  schemes  proposed  by  Tassa  for  addressing  this  problem 
require  some  significant  amount  of  theoretical  background.  We  give  a  conceptually  simpler  alternative  for 
the  understanding  of  the  realization  of  hierarchical  threshold  access  structures  and  we  consider  perfectness 
of  our  scheme  with  the  help  of  computer  experiments.  Our  simple  scheme  employs  a  slightly  different 
approach  than  previous  works,  as  it  involves  a  certain  distribution  of  polynomials,  where  members  of 
higher  compartments  are  given  a  summation  of  evaluations  of  higher  number  of  polynomials,  resulting  in 
a  hierarchical  effect.  We  further  consider  some  alternative  hierarchical  access  structures  having  potential 
to  be  applied  in  military.  The  access  structures  that  we  consider  are  realized  herein  with  a  simple 
employment  of  the  well  known  building  blocks  such  as  Lagrange  interpolation  and  access  structure 
product  and  can  be  realized  with  an  information  rate  at  worst  1/m. 

1.0  INTRODUCTION 

The  foundation  of  secret  sharing  is  assumed  to  start  with  Shamir  [1]  and  Blakley  [2]  who  independently 
introduced t-out-of-n, or simply (t,n) secret sharing schemes (SSS) that allow a set of at least t participants
to recover a secret while any t-1 or fewer participants fail in such an attempt. A secret sharing scheme is
called perfect if a non-authorized participant set can learn no information about the secret, while an authorized
set  recovers  the  secret.  Simmons  [3]  introduced  generalizations  of  (t,n)  secret  sharing,  namely  hierarchical 
and  compartmented  threshold  secret  sharing.  In  these  multipartite  approaches,  the  trust  is  not  distributed 

uniformly among the set of participants. Letting $U = \bigcup_{i=1}^{m} C_i$ be the set of participants which is partitioned
into m disjoint subsets of compartments $C_i$, $1 \le i \le m$, a multipartite access structure $\Gamma \subseteq 2^U$ is one that
does not distinguish between members of the same compartment. It is reasonable to assume that access
structures are monotone, i.e., if $A \in \Gamma$ and $A \subseteq B \subseteq U$, then $B \in \Gamma$. A well known measure of efficiency
for SSS's is the notion of information rate, which is concerned with the size of the private data (shares of
participants) used for sharing a secret of certain size. A secret sharing scheme is called ideal if the domain
of shares of each user equals the domain of secrets, yielding an information rate of 1. An access
structure $\Gamma$ is ideal if for some finite domain of shares, there exists an ideal secret sharing scheme
realizing it.

Hierarchical  access  structures  that  admit  an  ideal  secret  sharing  scheme  are  characterized  within  a  unified 
framework in [9]. There are three main types of "hierarchy-involved" access structures in literature. Those
are,  in  chronological  order,  Shamir's  weighted  threshold  access  structures  [1],  Simmons'  hierarchical 
access  structures  [3]  which  answer  the  question  of  solving  a  secret  by  either  two  vice  presidents  or  three 
bank  tellers  (where  a  vice  president  can  always  replace  a  bank  teller)  and  Tassa's  hierarchical  threshold 
access  structures  [4]  raising  an  answer  to  the  problem  of  sharing  a  secret  among  three  employees,  say 
again  composed  of  vice  presidents  and  bank  tellers,  at  least  two  of  which  is  a  vice  president.  The  main 
difference among the last two structures is that the former is a disjunction of different compartments
representing  distinct  hierarchy  levels,  whereas  the  latter  is  a  conjunction  of  such  compartments.  Both 
definitions  consider  the  case  where  some  of  the  participants  are  hierarchically  superior  to  others.  The 

$U = \bigcup_{i=1}^{m} C_i$ be the set of participants with disjoint compartments $C_i$, $1 \le i \le m$,

$$\Gamma = \{ V \subset U : |V \cap (\bigcup_{j=1}^{i} U_j)| \ge k_i,\ \forall i \in \{1, \dots, m\} \} \qquad (1)$$

Under the same assumptions of above definition, the former hierarchical access structure that is studied by
Simmons is as follows.

$$\Gamma = \{ V \subset U,\ \exists i \in \{1, \dots, m\} : |V \cap (\bigcup_{j=1}^{i} U_j)| \ge k_i \} \qquad (2)$$

Previous  Work.  Besides  proposing  such  hierarchical  threshold  access  structures,  Tassa  gave  an  ideal  SSS 
for  their  realizing  in  [4].  To  reconstruct  the  secret,  he  used  Birkhoff  interpolation  using  some  derivative 
values  of  a  polynomial.  This  approach  took  attention  and  found  place  in  recent  applications,  an  example  of 
which  is  employment  in  ad  hoc  networks  [10].  Birkhoff  interpolation  is  performed  in  a  setting  that  the 
given  values  of  the  unknown  polynomial,  P(x),  also  include  derivative  values.  Specifically,  participants 
from level $C_i$, $1 \le i \le m$, receive the value of the $t_{i-1}$-th derivative ($t_0 = 0$) of P at the point that identifies them.
Allowing  participants  from  higher  levels  have  shares  such  as  derivatives  of  P  of  lower  orders,  naturally  let 
shares  of  such  participants  carry  more  information  on  the  coefficients  of  P  than  shares  of  participants  from 
lower  levels.  Later  on,  Tassa  and  Dyn  [5]  proposed  another  scheme  for  threshold  access  structures,  which 
demands  calculation  of  tm  restrictions  of  a  bivariate  polynomial  to  a  line  each  of  which  is  followed  by  a 
univariate  Lagrange  interpolation.  We  would  like  to  note  that  the  aforementioned  works  [4], [5]  and  the 
modified  scheme  we  give  herein  are  ideal  and  linear  in  the  sense  of  Brickell's  [7]. 

The  reconstruction  phase  of  a  linear  SSS  in  essence  corresponds  to  solving  some  linear  system.  For  a 
random  allocation  of  participant  identities,  the  hierarchical  schemes  in  [4]  and  [5]  and  ours  are  perfect  in  a 
probabilistic manner. That is, when the underlying field F is large enough, the probability that an
authorized set is unable to reconstruct the secret, together with the probability that a non-authorized
set reconstructs the secret, is negligible.

Our  Strategy.  The  only  two  schemes  for  hierarchical  threshold  access  structures  [4]  and  [5]  apply 
Birkhoff  interpolation  and  subsequent  univariate  Lagrange  interpolation  respectively.  In  the  very  essence, 
both  methods  correspond  to  solving  a  linear  system  of  equations  at  the  end.  Instead  of  applying  any  kind 
of  interpolation  techniques,  we  present  a  scheme  that  directly  leads  us  again  to  a  linear  system  of 
equations.  Letting  m  to  represent  the  number  of  compartments,  we  give  summation  of  evaluations  of  m 
polynomials  at  some  public  points  to  the  highest  compartment  in  the  hierarchy,  summation  of  evaluations 
of  m-1  polynomials  in  the  second  highest  level,  and  continuing  this  manner,  evaluation  of  only  1 
polynomial  to  the  lowest  compartment  of  the  hierarchy.  They  are  combined  in  a  manner  that  participants 
from  the  highest  levels  can  always  replace  the  lower-leveled  ones  whereas  the  converse  does  not  hold. 

Organization  of  the  Paper.  After  introducing  some  preliminaries  in  section  2,  we  give  our  ideal  scheme 
for  hierarchical  threshold  access  structures  in  section  3,  where  an  example  together  with  a  table  of 
experimental  results  is  included.  In  section  4,  we  consider  how  Lagrange  interpolation  and  access  structure 
product  can  be  employed  to  obtain  a  variety  of  alternative  hierarchical  access  structures.  We  conclude 
with  some  remarks  on  section  5. 
2.0  PRELIMINARIES

ILSSS. In an ideal linear secret sharing scheme (ILSSS) over a finite field F, the domain of secrets is equal
to F (so that the scheme is ideal) and the scheme is specified by n+1 vectors in $F^d$ where d is an integer.
Such vectors are as follows. The dealer uses a vector $u_i$ for each participant $u_i$ belonging to U, $1 \le i \le n$,
and a vector t which is kept private. To share a secret $S \in F$, the dealer chooses a random vector $w \in F^d$
such that the inner product $w \cdot t = S$ and distributes each share $w \cdot u_i$ to participant $u_i$.

Shamir’s  SSS.  The  basic  linear  scheme  proposed  by  Shamir  [1],  makes  use  of  Lagrange's  polynomial 
interpolation. The scheme works as follows: Let q be a large prime and $S \in F_q$ be the secret to be shared.
The dealer chooses a random univariate polynomial $f(x) = S + \sum_{i=1}^{t-1} a_i x^i \in F_q[x]$ of degree t-1 where the constant
term is the secret. In order to distribute S among n participants given by $u_1, \dots, u_n$, assign to the j-th
participant the share $f(u_j) = S + \sum_{i=1}^{t-1} a_i u_j^i$, $1 \le j \le n$.

While the reconstruction of the secret can be described by a formula resulting from Lagrange's polynomial
interpolation, a linear algebra point of view heads us towards the following linear system that the
authorized subset of participants $\{u_{i_1}, \dots, u_{i_t}\}$, $1 \le i_1 < \dots < i_t \le n$, must solve.

$$\begin{pmatrix} 1 & u_{i_1} & \cdots & u_{i_1}^{t-1} \\ \vdots & \vdots & & \vdots \\ 1 & u_{i_t} & \cdots & u_{i_t}^{t-1} \end{pmatrix} \begin{pmatrix} a_0 \\ \vdots \\ a_{t-1} \end{pmatrix} = \begin{pmatrix} f(u_{i_1}) \\ \vdots \\ f(u_{i_t}) \end{pmatrix}$$


As  pointed  out  by  Shamir  himself  in  [1],  a  hierarchical  variant  can  be  introduced  simply  by  assigning  a 
higher  number  of  shares  to  higher  level  participants.  However  such  a  solution  is  far  away  from  being  ideal. 
While  Shamir's  SSS,  having  a  Vandermonde  matrix  on  its  basis,  enjoys  the  property  of  reconstructibility 
of  the  secret  with  probability  exactly  1,  by  an  authorized  subset,  as  mentioned  earlier,  the  schemes  given 
in  [4], [5]  and  the  scheme  we  propose  in  the  next  section  claims  this  property  with  a  probability  merely 
close  to  1  depending  on  the  field  size  and  some  constants. 

Linear SSS's (LSSS) are widely studied under the notion of monotone span programs (MSP). Formally, a
MSP is a 5-tuple $\mathcal{M} = (F, M, U, \varphi, t)$, where F is a field, M is a matrix of dimensions $d \times e$ over F,
$U = \{u_1, \dots, u_n\}$ is a finite set, $\varphi : \{1, \dots, d\} \to U$ is a surjective function assigning each row to a participant in
U, and $t \in F^e$ is the so-called target vector. Participants are said to own or privately hold one or more
certain row(s) of M. The MSP $\mathcal{M}$ is said to realize (compute) the monotone access structure $\Gamma$ in case that
t is spanned by the rows of the matrix $M_V$ if and only if $V \in \Gamma$, where $M_V$ is the matrix whose rows are
formed by participants of the set $V \subseteq U$. The size of $\mathcal{M}$ is d, the number of rows of M. Indeed, the size of
the MSP is the total number of shares that are distributed to all participants in U.

Now giving share $s_i$ to participant $\varphi(i)$, we can identify an LSSS with its underlying MSP. It is known,
due  to  [6],  that  every  monotone  access  structure  admits  a  secret  sharing  scheme,  but  it  is  often  the  case  that 
shares  must  be  larger  than  the  secret. 

If $\Gamma$ is a monotone access structure realizing U, its dual $\Gamma^* = \{V : V^c \notin \Gamma\}$ is also monotone and if $\mathcal{M}$ is
an MSP that realizes $\Gamma$, then its dual $\mathcal{M}^*$ of the same size as $\mathcal{M}$ exists and realizes the dual access structure
$\Gamma^*$. $\mathcal{M}^*$ can be efficiently constructed as described in [8]. An access structure is ideal if and only if its dual
is. Given two monotone access structures $\Gamma_1$ and $\Gamma_2$ defined on sets of participants $U_1$ and $U_2$
respectively, one can define the product $\Gamma_1 \times \Gamma_2$ as the monotone access structure defined on $U_1 \cup U_2$
such that for any $V \subseteq U_1 \cup U_2$ it holds that $V \in \Gamma_1 \times \Gamma_2 \Leftrightarrow (V \cap U_1 \in \Gamma_1$ and $V \cap U_2 \in \Gamma_2)$.

The following is a well-known realization of the product $\Gamma_1 \times \Gamma_2$.

Lemma 1. If MSPs $\mathcal{M}_1$ and $\mathcal{M}_2$ with matrices $M_1 = (c_1 \; M_1')$ and $M_2 = (c_2 \; M_2')$ (where $c_1$ and $c_2$ are the first
columns of the matrices) and target vectors t = (1,0,...,0) realize the access structures $\Gamma_1$ and $\Gamma_2$
respectively, then the matrix

$$\begin{pmatrix} c_1 & 0 & M_1' & 0 \\ 0 & c_2 & 0 & M_2' \end{pmatrix}$$

realizes $\Gamma_1 \times \Gamma_2$ with target vector (1,1,0,...,0).

The reason that the first columns of the matrices $M_1$ and $M_2$ have been taken out is simply to be able to use
the target vector (1,1,0,...,0). One can directly employ matrices $M_1$ and $M_2$ without separating their first
columns $c_1$ and $c_2$ as long as a target vector such as (1,0,...,0,1,0,...,0) is used. Note that the definition of
product of two access structures, $\Gamma_1 \times \Gamma_2$, and lemma 1 can naturally be extended to $\Gamma_1 \times \Gamma_2 \times \dots \times \Gamma_k$
in a straightforward manner.

Lemma 2. Given MSPs $\mathcal{M}_1$ and $\mathcal{M}_2$ realizing access structures $\Gamma_1$ and $\Gamma_2$ defined on sets $U_1$ and $U_2$
respectively,

i) if $\mathcal{M}_1$ and $\mathcal{M}_2$ are ideal and $U_1$ and $U_2$ are disjoint sets, then $\mathcal{M}_1 \times \mathcal{M}_2$ is also ideal.

ii) if $\mathcal{M}_1$ and $\mathcal{M}_2$ are perfect, so is $\mathcal{M}_1 \times \mathcal{M}_2$.

Proof. If $\mathcal{M}_1$ and $\mathcal{M}_2$ are ideal, participants from $\Gamma_1$ and $\Gamma_2$ own one and only one row apiece in the
corresponding matrices $M_1$ and $M_2$, respectively. Let the reconstruction matrix of $\Gamma_1 \times \Gamma_2$ be $M_{1 \times 2}$. Then
participants of $\Gamma_1 \times \Gamma_2$ will obviously own one row in $M_{1 \times 2}$ as well, since no participant who is both in
$U_1$ and $U_2$ exists. Similarly if $\mathcal{M}_1$ and $\mathcal{M}_2$ are perfect, determinants $|M_1|$ and $|M_2|$ will be nonzero for every
possible set of authorized participants in $\Gamma_1$ and $\Gamma_2$ respectively, yielding a nonzero determinant
$|M_{1 \times 2}| = |M_1| \cdot |M_2|$.


3.0  THE  MODIFIED  SCHEME 

To extract the allowance of maximum number of participants from each compartment while recalling (1),
define $t_i = k_i - k_{i-1}$, $1 \le i \le m$ (assume $k_0 = 0$). Observe that $\sum_{i=1}^{m} t_i = k_m$. Now the following describes a SSS to
realize (1), namely hierarchical threshold access structures.

Secret  sharing  scheme  1. 

1. The dealer generates m random polynomials $P_i(x) = \sum_{j=1}^{t_i} a_{ij} x^j$, $1 \le i \le m$,
so that $\deg(P_i) = t_i$ and the secret $S = \sum_{i=1}^{m} a_{i1}$.

2. Each participant from compartment $C_i$ will be identified by a unique
public point $(x_{ij}, y_{ij})$, $x_{ij} \ne 0$, $y_{ij} \ne 0$, where no two participants are given
the same $x_{ij}$ or $y_{ij}$ value. The private share of the participant $c_{ij}$ will be
$Q_i(x_{ij}, y_{ij}) = \sum_{l=i}^{m} y_{ij}^{l} P_l(x_{ij})$.

In step 2, the purpose of multiplying the polynomials $P_l(x_{ij})$ with $y_{ij}^{l}$ in the bivariate polynomial $Q_i$ is
simply to prevent the occurrence of identical columns in the reconstruction matrix so that the determinant
does not turn out to be zero (we will consider the importance of determinant in the proof of theorem 1). In
the reconstruction phase, we let the rows of participants from higher compartments involve more variables
by such a distribution of polynomials. In more detail, the row given to members of compartment $C_1$
involves a summation of all polynomials $P_i(x)$, hence involving $\sum_{i=1}^{m} t_i$ variables. Similarly, the row given
to members of compartment $C_2$ involves $\sum_{i=2}^{m} t_i$ variables, whereas the polynomial corresponding to the
lowest level compartment $C_m$ involves only $t_m$ variables. This decreasing number of variables constitutes
the main idea that produces a hierarchical effect. Obviously, the scheme is ideal as the shares of
participants are taken from the domain of secrets F. Observe that the problem of recovering the secret in
the above scheme is equivalent to solving the whole system, that is, there is no easy shortcut of obtaining
only the polynomial coefficients $a_{i1}$, $i = 1, \dots, m$ that sum up to the secret S.

Theorem 1. An authorized set $V \in \Gamma$ may recover the secret S with a probability bounded by $1 - 2k_m d q^{-1}$
where m is the number of compartments, $k_m$ is the order of the reconstruction matrix, q is the size of the
field and d is the degree of the variables in det(M).

Proof. We apply techniques in analogy with the ones used in the proofs of [5]. Notice that the
reconstruction matrix M is $k_m \times k_m$ where $k_m = t_1 + \dots + t_m$. Consider the equation $M \cdot A = Q$ where M is the
reconstruction matrix formed by an authorized set of participants, $A = (a_{11} \dots a_{1t_1} \; a_{21} \dots a_{2t_2} \; \dots \; a_{m1} \dots a_{mt_m})^t$
is the vector of unknowns involving the secret and Q is the vector formed by private shares of participants.
Employing basic linear algebra, we know that such an equation has a unique solution if and only if
$\det(M) \ne 0$. That is, the probability that an authorized set can reconstruct the secret equals the
probability of $\det(M) \ne 0$ where M is their corresponding reconstruction matrix. Since the values $x_{ij}$ and
$y_{ij}$ in the reconstruction matrix are random, the determinant is a random value over F. So the idea is that,
the larger the underlying field F gets, the smaller the probability that the reconstruction matrix has
determinant zero. And if the determinant is nonzero, then it is obvious that one can find its inverse and
solve the unknown vector together with the secret embedded therein. Observe that there are two distinct
variables in each of the $k_m$ rows. So considering the expansion of M, we see that det(M) is a nonzero
polynomial of $2k_m$ variables over the finite field F, where the highest degree of the variables in det(M) can
be expressed as $d = \max(t_i)$, $1 \le i \le m$. Now applying lemma 2.2 of [4], we see that the number of zeros of
det(M) in $F^{2k_m}$ is bounded by $2k_m d q^{2k_m - 1}$. Indeed, these are all the choices that make det(M)=0 among all
possible $q^{2k_m}$ selections of the $2k_m$ variables. So the probability that det(M)=0 is bounded by
$2k_m d q^{2k_m - 1} \cdot q^{-2k_m} = 2k_m d q^{-1}$.

Observe  that  the  distribution  of  entries  of  a  reconstruction  matrix  M  is  similar  to  that  of  an  upper 
triangular  matrix.  The  reconstruction  matrix  employed  in  the  proof  of  theorem  4  in  [4]  also  has  a 
triangular  structure  which  seems  to  be  rather  in  lower  triangular-like  form.  Indeed  this  triangularity  is  the 
main  specialty  that  gives  a  scheme  characteristics  of  a  hierarchical  threshold  secret  sharing.  For  a  random 
allocation  of  participant  identities,  with  a  high  probability  depending  on  the  size  of  the  field  F,  scheme  1 
perfectly  realizes  (1)  as  in  the  case  of  the  corresponding  scheme  given  in  [4].  However,  perfectness  with 
probability  1  under  a  monotone  allocation  of  participant  identities  provided  in  [4]  is  not  satisfied  in 
scheme  1. 

Example 1. Let m=3 be the number of compartments where $k_1 = 2$, $k_2 = 5$, $k_3 = 8$ yielding polynomials
$P_1(x), P_2(x), P_3(x)$ of degrees respectively $t_1 = 2$, $t_2 = 3$, $t_3 = 3$. Finally, let $s_1 = 2$, $s_2 = 4$, $s_3 = 2$ be the number of
participants from compartments $C_1$, $C_2$, $C_3$ respectively. Then M is of the form;

We leave the fulfillment of polynomials and arbitrary parameters of the scheme to the reader. We provide
an extensive table of probabilistic results regarding secret sharing scheme 1 with assistance of a computer
algebra system [11] where results in each of the entries are obtained by $10^5$ experiments with distinct
random allocation of $x_{ij}$ and $y_{ij}$ values.
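Secret sharing scheme 1 can be exercised on the parameters of Example 1 by building the reconstruction rows and testing whether the target vector lies in their span. This is an added example, not code from the paper; it assumes shares of the form Q_i(x, y) = sum over l = i..m of y^l P_l(x) with P_l(x) = sum over j = 1..t_l of a_lj x^j, a prime field of size 2^61 - 1, and hypothetical function names.

```python
import random

Q = 2**61 - 1  # prime field size q (assumption; large so that det(M) = 0 is negligible)

def row(level, x, y, t):
    """Reconstruction-matrix row of a level-`level` participant at point (x, y):
    the coefficient of unknown a_{l,j} is y^l * x^j for l >= level, else 0."""
    return [pow(y, l, Q) * pow(x, j, Q) % Q if l >= level else 0
            for l in range(1, len(t) + 1) for j in range(1, t[l - 1] + 1)]

def target(t):
    """Target vector: S is the sum of the coefficients a_{l,1}."""
    return [1 if j == 1 else 0
            for l in range(1, len(t) + 1) for j in range(1, t[l - 1] + 1)]

def deal_scheme1(k, sizes, rng):
    """Return (secret, t, people); people[i] lists (level, x, y, share) for level i+1."""
    t = [k[0]] + [k[i] - k[i - 1] for i in range(1, len(k))]
    a = [rng.randrange(Q) for _ in range(sum(t))]        # all a_{l,j}, flattened
    secret = sum(v for v, first in zip(a, target(t)) if first) % Q
    pts = rng.sample(range(1, Q), 2 * sum(sizes))        # distinct nonzero x and y values
    people = []
    for level, n in enumerate(sizes, start=1):
        grp = []
        for _ in range(n):
            x, y = pts.pop(), pts.pop()
            share = sum(c * v for c, v in zip(row(level, x, y, t), a)) % Q
            grp.append((level, x, y, share))
        people.append(grp)
    return secret, t, people

def solve_mod(A, b):
    """Return one solution z of A z = b over F_Q (free variables 0), or None."""
    rows, cols = len(A), len(A[0])
    M = [A[r][:] + [b[r]] for r in range(rows)]
    pivots, r = [], 0
    for col in range(cols):
        p = next((i for i in range(r, rows) if M[i][col]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][col], -1, Q)
        M[r] = [v * inv % Q for v in M[r]]
        for i in range(rows):
            if i != r and M[i][col]:
                f = M[i][col]
                M[i] = [(vi - f * vr) % Q for vi, vr in zip(M[i], M[r])]
        pivots.append(col)
        r += 1
    if any(M[i][cols] for i in range(r, rows)):
        return None                                      # inconsistent system
    z = [0] * cols
    for i, col in enumerate(pivots):
        z[col] = M[i][cols]
    return z

def reconstruct_scheme1(group, t):
    """Find lambda with sum(lambda_r * row_r) = target; then S = sum(lambda_r * share_r).
    Returns None when the target is not spanned, i.e. the group learns nothing this way."""
    R = [row(lv, x, y, t) for lv, x, y, _ in group]
    A = [[R[r][c] for r in range(len(R))] for c in range(len(R[0]))]  # transpose
    lam = solve_mod(A, target(t))
    if lam is None:
        return None
    return sum(l * g[3] for l, g in zip(lam, group)) % Q

def example1(seed=1):
    """k = (2, 5, 8) as in Example 1; extra participants are dealt for the negative cases."""
    rng = random.Random(seed)
    secret, t, (c1, c2, c3) = deal_scheme1([2, 5, 8], [2, 5, 8], rng)
    ok = reconstruct_scheme1(c1 + c2[:4] + c3[:2], t)           # s = (2, 4, 2)
    too_few_top = reconstruct_scheme1(c1[:1] + c2 + c3[:2], t)  # one member of C_1 only
    only_low = reconstruct_scheme1(c3, t)                       # eight members of C_3
    return secret, ok, too_few_top, only_low
```

The two negative cases fail for structural reasons: a single row from the top compartment cannot produce the pattern (1, 0) on the two columns only it touches, and rows from the lowest compartment are zero on every column of the higher polynomials.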


Table 1: Success Rates of Reconstructibility of the Secret

| $k_i$, $t_i$, $1 \le i \le m$ | $s_i$, $1 \le i \le m$ | q = 101 | q = 100003 |
|---|---|---|---|
| $k_1 = 2$, $k_2 = 5$, $k_3 = 9$ ($t_1 = 2$, $t_2 = 3$, $t_3 = 4$) | $s_1 = 4$, $s_2 = 4$, $s_3 = 1$ | impl: 0.9876 | impl: 0.9999 |
| | $s_1 = 2$, $s_2 = 3$, $s_3 = 4$ | impl: 0.9039 | impl: 0.9998 |
| | $s_1 = 9$, $s_2 = 0$, $s_3 = 0$ | impl: 0.9867 | impl: 0.9999 |
| | | theo: 0.2872 | theo: 0.9993 |
| $k_1 = 1$, $k_2 = 4$, $k_3 = 10$, $k_4 = 23$ ($t_1 = 1$, $t_2 = 3$, $t_3 = 6$, $t_4 = 13$) | $s_1 = 4$, $s_2 = 2$, $s_3 = 8$, $s_4 = 9$ | impl: 0.8668 | impl: 0.9995 |
| | $s_1 = 1$, $s_2 = 5$, $s_3 = 12$, $s_4 = 5$ | impl: 0.8441 | impl: 0.9992 |
| | $s_1 = 23$, $s_2 = 0$, $s_3 = 0$, $s_4 = 0$ | impl: 0.96S0 | impl: 0.9999 |
| | | theo: 0.0 | theo: 0.9940 |

Observe that all the experimental results (impl.) in table 1 are greater than theoretical bounds (theo.)
obtained by the formula according to theorem 1. It can also be seen that, for artificially small values of q,
the given bound is loose and sometimes it does not provide any information. Even in these cases, our
modified scheme yields quite acceptable results for small m values. As $q \to \infty$, the aforementioned
probabilities get closer to 1. Indeed, as $k_i$ values increase, higher q values will be needed to keep the
probability of the success rate constant. The table, considering some extreme cases, also visualizes the fact
that the distribution of $s_i$ values, $1 \le i \le m$, affects the experimental probabilistic results.


4.0  (C,M)  HIERARCHICAL  ACCESS  STRUCTURES 
4.1  Motivation  and  The  Scheme 

Let us first recall hierarchical threshold access structures introduced in [4]. Let $U = \bigcup_{i=1}^{m} U_i$ be the set of
participants with m disjoint levels, i.e., $U_i \cap U_j = \emptyset$, $1 \le i < j \le m$ and let $\{k_i\}_{i=1}^{m}$ be a sequence of integers
with $0 < k_1 < \dots < k_m$. Then the corresponding hierarchical threshold access structure is

$$\Gamma = \{ V \subset U : |V \cap (\bigcup_{j=1}^{i} U_j)| \ge k_i \ \forall i \in \{1, \dots, m\} \} \qquad (1)$$

Under the same assumptions of the above definition, the former hierarchical access structure that is
studied by Simmons is as follows.

$$\Gamma = \{ V \subset U,\ \exists i \in \{1, \dots, m\} : |V \cap (\bigcup_{j=1}^{i} U_j)| \ge k_i \} \qquad (2)$$

Observe that the only difference in (2) is the replacement of the universal quantifier $\forall$ with the existential
quantifier $\exists$. If we identify the requirement $|V \cap (\bigcup_{j=1}^{i} U_j)| \ge k_i$ as the threshold condition to be satisfied by
levels $U_j$, $j \le i$ yielding m conditions, then the distinction among (1) and (2) is that while Simmons' version
exploits a disjunction of threshold conditions, Tassa's definition involves a conjunction of such conditions.
Letting c be the threshold number for conditions to be satisfied among m, the definitions above
describe access structures that either demand the presence of exactly one of such conditions (c=1) or all of
them simultaneously (c=m). That is, neither of the definitions above has flexibility to contain the
intermediary access structures corresponding to values of 1<c<m. With this motivation, we consider the
following generalization of the access structures (1) and (2).

Definition 1. Let $U = \bigcup_{i=1}^{m} U_i$ be the set of participants with m disjoint levels,
i.e., $U_i \cap U_j = \emptyset$, for $i \ne j$. Let $\{k_i\}_{i=1}^{m}$ be a sequence of integers with $0 < k_1 < \dots < k_m$.
Then the corresponding (c, m) hierarchical access structure is

$$\Gamma = \{ V \subset U : |V \cap (\bigcup_{j=1}^{i} U_j)| \ge k_i \text{ for at least } c \text{ indices } i \in \{1, \dots, m\} \} \qquad (3)$$


In  Tassa's  seminal  work  [4],  the  generalization  (3)  is  indeed  mentioned  and  a  question  asking  whether  it  is 
an  ideal  access  structure  or  not,  is  raised.  To  the  best  of  our  knowledge,  no  known  SSS  applies  for  the  case 
of (c,m) hierarchical access structures for 1<c<m. Though we do not attempt to solve the open problem
stated  by  Tassa,  we  give  a  non-ideal  scheme  realizing  (3)  and  discuss  the  difficulty  of  establishing  an  ideal 
scheme  for  the  realization  of  [4]  in  the  section  4.2.  It  follows  from  the  definition  that  a  (c,m)  hierarchical 
access  structure  is  also  a  (c',m)  hierarchical  access  structure  for  c'<c.  Let  us  give  a  toy  illustration  of  (3). 

Example 2. Consider a scenario where a secret is to be shared among participants from levels $U_1$, $U_2$ and
$U_3$ which are formed by admirals, brigadiers and colonels respectively. Let us represent each participant of
a certain level by the initial of the identifier of the level. That is, for instance, the phrase aab stands for a
set formed by two admirals and one brigadier. Now m=3 and let $k_1 = 1$, $k_2 = 2$ and $k_3 = 3$ for the sake of
simplicity. The minimal authorized sets in the (c,m) hierarchical access structures, c = 1, 2, 3, according to
definition 1 are as follows.


| c | minimal authorized sets in (c,3) hierarchical access structure |
|---|---|
| c = 1 | {a, bb, ccc, bcc} |
| c = 2 | {aa, ab, acc, bbb, bbc} |
| c = 3 | {aaa, aab, abb, abc} |

Here,  the  term  minimal  authorized  set ,  sometimes  being  called  minterm ,  refers  to  a  qualified  set  such  that 
no  participant  within  the  set  is  redundant  for  the  reconstruction  of  the  secret.  It  is  exemplified  that  all 
minimal  subsets  of  (1)  are  of  the  same  size  while  this  is  not  true  for  (2)  and  (3).  The  ki  values  suggest  that 
basically  all  the  sets  1  admiral,  2  brigadiers  and  3  colonels  are  of  equal  trust.  Regarding  involvement  of 
each  of  the  sets  a ,  bb  and  ccc  (while  keeping  in  mind  the  fact  that  the  lower  level  participants  can  always 
be  replaced  by  upper  level  ones)  as  a  condition  to  be  imposed  on  an  access  structure,  it  is  perfectly  natural 
in  real  life  to  require  any  two  of  these  conditions  to  be  present  as  well  as  demanding  either  one  of  the 
conditions  or  all  three  of  them  simultaneously. 

One  can  mimic  the  realization  of  the  (2,3)  hierarchical  access  structure  of  example  2  with  a  naive 
employment  of  Shamir's  weighted  threshold  secret  sharing  [1],  by  say  assigning  3  shares  to  each  admiral, 
2  shares  to  each  brigadier  and  1  share  to  each  colonel  and  establishing  a  (5,n)  SSS  among  the  n 
participants via the well-known Lagrange interpolation. In this case, all the required minimal
authorized sets {aa,ab,acc,bbb,bbc} are eligible to reconstruct the secret. However, the access structure of
such a scheme would embody a set of participants such as ccccc which is not the case for (2,3)
hierarchical access structure arising from definition 1. Nevertheless, we can tailor a scheme for this
particular  case  again  via  the  well-known  tools  such  as  Lagrange  interpolation  and  access  structure  product, 
but  this  time,  with  a  different  distribution  of  shares.  The  scheme  can  be  described  as  follows. 

Scheme  2.  To  realize  (3),  assign  one  secret  for  each  level  and  apply  a  scheme  of  Shamir's  in  a  setting  that 
each  participant  belonging  to  that  level  and  the  participants  in  the  upper  levels  are  given  shares.  That  is, 
the dealer first applies a (c,m) Shamir's scheme on the secret to obtain m private partial shares, say $s_1$,
..., $s_m$, so that any c of these values are sufficient to find the secret. Then he applies a separate Shamir's
scheme on each $s_i$, $1 \le i \le m$, so that in each instance of such schemes, the shares are this time distributed
to not only the members of the compartment $U_i$ but also to the members of all compartments $U_1, \dots, U_{i-1}$
accomplishing the desired property that members of the upper level compartments can always replace
participants of the lower ones. Here, each Shamir's scheme on the partial secret $s_i$ will be arranged in a
setting that $s_i$ can be reconstructed only with the presence of any $k_i - k_{i-1}$ shares (assuming $k_0 = 0$ for $s_1$). This
allows that the partial share $s_i$ can be computed if and only if $k_i$ members from $\bigcup_{j=1}^{i} U_j$ are present. Hence
for a set of participants, reconstruction of each $s_i$ ensures one threshold condition in $\Gamma$ of definition 1.
Since we require any c of such threshold conditions among m, the purpose of applying first a (c,m)
scheme on the secret follows.
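Scheme 2 can be checked against Example 2 and against the naive weighted assignment discussed before it. This is an added example, not code from the paper; the field size, participant ids and function names are assumptions, and each inner Shamir instance uses threshold k_i over the members of levels 1..i, matching the stated property that s_i is computable if and only if k_i members of U_1, ..., U_i are present.

```python
import random

P = 2**61 - 1  # prime field modulus (assumption: the page fixes no field)

def shamir_split(secret, threshold, xs, rng):
    """Evaluate a random degree-(threshold-1) polynomial with f(0) = secret at points xs."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(threshold - 1)]
    return {x: sum(a * pow(x, e, P) for e, a in enumerate(coeffs)) % P for x in xs}

def lagrange_at_zero(points):
    """Interpolate f(0) from (x, y) pairs with distinct nonzero x."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def deal_scheme2(secret, c, k, levels, rng):
    """levels[i] lists the ids (distinct nonzero ints) of level i+1.
    Returns shares[pid] = {condition index i: share of partial secret s_{i+1}}."""
    m = len(k)
    # Outer (c, m) scheme: partial secret s_i is the outer share at public point i.
    partial = shamir_split(secret, c, list(range(1, m + 1)), rng)
    shares = {pid: {} for lvl in levels for pid in lvl}
    for i in range(m):
        holders = [pid for lvl in levels[: i + 1] for pid in lvl]   # levels 1..i+1
        inner = shamir_split(partial[i + 1], k[i], holders, rng)
        for pid in holders:
            shares[pid][i] = inner[pid]
    return shares

def reconstruct_scheme2(group, shares, c, k):
    """Return the secret if the group meets at least c threshold conditions, else None."""
    recovered = []
    for i in range(len(k)):
        pts = [(pid, shares[pid][i]) for pid in group if i in shares[pid]]
        if len(pts) >= k[i]:                     # threshold condition i is satisfied
            recovered.append((i + 1, lagrange_at_zero(pts[: k[i]])))
    if len(recovered) < c:
        return None
    return lagrange_at_zero(recovered[:c])

def pick(word, levels):
    """Map a word such as 'acc' to ids: the n-th 'c' is the n-th colonel, and so on."""
    return [levels["abc".index(ch)][word[:n].count(ch)] for n, ch in enumerate(word)]

def weighted_authorized(word, threshold=5):
    """Naive weighted alternative: 3 shares per admiral, 2 per brigadier, 1 per colonel."""
    return sum({"a": 3, "b": 2, "c": 1}[ch] for ch in word) >= threshold

def example2(seed=2024):
    """(2,3) structure of Example 2 with k = (1, 2, 3); ids below are constructed."""
    rng = random.Random(seed)
    levels = [[1, 2, 3], [11, 12, 13], [21, 22, 23, 24, 25]]
    k, c, secret = [1, 2, 3], 2, 123456789
    shares = deal_scheme2(secret, c, k, levels, rng)
    words = ["aa", "ab", "acc", "bbb", "bbc", "a", "bb", "ccc", "bcc", "ccccc"]
    out = {w: reconstruct_scheme2(pick(w, levels), shares, c, k) for w in words}
    return secret, out, shares
```

The set ccccc is rejected here because five colonels satisfy only the third threshold condition, while the weighted assignment accepts it.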

4.2  Efficiency  Issues,  Perfectness  and  Discussions 

In scheme 1, each participant from $U_1$ is given m shares; each participant from $U_2$ is given m-1 shares and
so on. Eventually, a participant from the lowest level $U_m$ is given only 1 share. In the order of operations
performed for the reconstruction of the secret, there are m Lagrange interpolations each of which is to
recover one of the partial secrets $s_1, \dots, s_m$, and there is one final occurrence of a (c,m) Shamir's scheme
summing up to m+1 instances of Lagrange interpolations. Again, all these schemes can be combined by
lemma 1. Since Lagrange interpolations are used as basic building blocks, the above scheme is perfect by
lemma 2 and hence enjoys the property of reconstructability of the secret by an authorized set with
probability 1.

An observation on the difficulty of establishing an ideal and efficient LSSS for the realization of [4] is as
follows. In [9], it is proven that a multipartite access structure involving a hierarchy among participants is
ideal if and only if the access structure admits a vector space secret sharing scheme. So if there exists an
ideal and efficient scheme realizing (3), it must be in the form of a vector space scheme, that is, an ideal
linear scheme constructed according to the method proposed by Brickell. In such a scheme, we are
allowed to assign one and only one public vector to each participant, including the target vector of the
dealer, so that the shares are computed by dot products of these vectors with a random (secret) vector.
Within such a setting, the purpose is to design a scheme which both allows higher-leveled participants to
replace their inferiors and assures the satisfaction of any c of the m conditions defined on levels. Such a
design may not be easy, especially when one considers the varying size of minimal authorized subsets,
which makes things a little more complicated. We would like to remind the reader that finding an efficient,
ideal and linear solution for the disjunctive case of Simmons remained a long-standing open problem,
and its realization became possible in [4] only when some duality techniques were applied to the
efficient and perfect vector space construction of its conjunctive counterpart, which has fixed-length
minimal authorized subsets. However, this approach does not seem to apply to (3), as the dual of a (c,m)
hierarchical access structure of the form (3) is a (m+1-c,m) hierarchical access structure, again having
variable-length minimal authorized subsets for 1<c<m. Indeed, regarding compartmented and hierarchical
(c,m) access structures, our intuition is that the schemes that we realize herein have already attained the best
possible information rates. However, this statement is no more than a conjecture without a
proof. In [8], it is also shown that a hierarchical access structure admitting a scheme in which the length of
every share is less than 3/2 times the length of the secret is ideal, that is, it admits an ideal scheme as well.
However, this condition is not satisfied by the scheme we provide. So we are unable to apply the
mentioned result of [8] for the (c,m) hierarchical case.

A final remark on efficiency is that, in scheme 1, the number of shares of a user is at most m, yielding an
information rate of 1/m. However, we would like to note that information rate is not the only notion
of efficiency. Indeed, another similar complexity measure of secret sharing schemes is their share size,
that is, the total length of all shares distributed by the dealer. Scheme 1 performs slightly better in the latter
case than it does in the case of information rate. The reason is that, as there are typically more participants
in the lower levels compared to the higher ones, the average number of shares per user is usually lower
than a worst case of (m+1)/2. The scheme we provide is obviously not the best choice for the cases c=1
or c=m. However, to the best of our knowledge, it is the only scheme that realizes the intermediary access
structures in between the two former definitions involving a hierarchy, it is perfect and it is efficient enough for
scenarios with small parameters.

4.3  Fixing  First  k  Levels 

Observe that for the case c=2 of example 2, it is possible for a group of brigadiers and colonels to
reconstruct the secret without the presence of any admiral. However, the dealer may desire the existence
of at least one admiral in an authorized set, that is, while the members of the set {aa,ab,acc} remain
authorized, bbb and bbc will be identified as non-authorized. To restate this in a more general sense, the
top k compartments may be distinguished by the necessity of satisfaction of all the conditions defined
upon them, whereas this is not the case for the remaining lower compartments. That is, one may fix the
first k compartments and obtain the following generalization under the same setting of definition 1.

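$$\Gamma' = \Big\{ V \subseteq U : \Big| V \cap \Big( \bigcup_{j=1}^{i} U_j \Big) \Big| \ge k_i \;\; \forall i \in \{1,\dots,k\} \text{ and for at least } c \text{ indices } i \in \{k+1,\dots,m\} \Big\}$$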

Here, k is the threshold value assuring that the conjunction of k conditions on the first k levels holds in an
authorized set. Among the remaining m-k conditions left out, any c of them are considered to be enough.
Γ' trivially becomes equivalent to Γ of definition 1 when k=0. A realization of Γ' is as follows.

Scheme 3. We combine Tassa's conjunctive scheme involving Birkhoff interpolation and scheme 2 in a
way handling Γ'. The dealer first applies Tassa's conjunctive scheme to participants of the first k levels Ui,
1 ≤ i ≤ k. So far, members of levels U1,...,Uk are given one share apiece. On the other hand, the dealer
applies scheme 2 to members of the remaining levels Uk+1,...,Um, so that a participant from level Uk+1 is
given m-k shares, a participant from level Uk+2 is given m-k-1 shares and finally, each participant from
level Um is given only 1 share. For now, we have only partitioned the levels into two sets with indexes
1,...,k and k+1,...,m, applying Tassa's conjunctive scheme and scheme 2 to each set respectively. The only
missing part for the realization of Γ' is allowing members of U1,...,Uk to substitute for lower-leveled
participants belonging to Uk+1,...,Um. To allow this, we give a set of m-k additional shares to each member
of levels U1,...,Uk. Such m-k shares are identical to the set of shares given to members of Uk+1, so that
members of U1,...,Uk can always replace members of Uk+1,...,Um, which completes the scheme. The
highest number of shares distributed belongs to members of levels U1,...,Uk, where each participant is
given m-k+1 shares.

Tassa's conjunctive scheme [4] is proven to be perfect for a sufficiently large field via a monotone
allocation of participant identities. So, with a perfect employment of Tassa's scheme and a series of Shamir's
schemes in the basis of scheme 2, perfectness follows from lemma 2. As an underlying scheme for the first k
levels, one can of course choose any other scheme realizing (1), say the one given in [5], instead of the one
employing Birkhoff interpolation [4]. But if the chosen scheme is not perfect with certainty, scheme 2
will not reach perfectness with certainty either. Except that, the selection will not affect scheme 2.

It is described in [4] that the realization of the disjunctive access structure (2) can be achieved with the
help of the conjunctive scheme realizing (1) and some duality techniques. On the other hand, scheme 2 is
designed for the cases 1<c<m as it combines Tassa's conjunctive scheme for (1) and scheme 1. A
particular case is as follows. When c=1 in Γ', one may alternatively combine both Tassa's conjunctive
and disjunctive schemes and apply them to compartments U1,...,Uk and Uk+1,...,Um respectively to obtain a
better information rate of 1/2.


5.0  CONCLUSION 

Our contribution. In the first part of this study, we consider an ideal and linear secret sharing scheme for
the understanding of hierarchical threshold access structures and give some experimental analysis on the
reconstructibility of the secret. In the second part of this work, we consider a generalization of the
hierarchical access structure of Simmons and the hierarchical threshold access structure of Tassa. For
this case, the linear scheme that we consider is not ideal but has a high information rate so that the number of
shares of a user is at most m and m/2 on average.

Future  work.  One  may  attempt  to  prove  or  hopefully  disprove  the  conjecture  that  we  discussed  in  section 
4.2,  regarding  the  nonexistence  of  an  ideal,  linear  and  efficient  scheme  for  (3),  perhaps  with  the 
involvement  of  the  techniques  similar  to  the  ones  in  [9],  which  is  out  of  the  scope  of  this  work.  A 
constructive  attempt  for  (3)  might  be  designing  a  scheme  with  a  better  information  rate,  if  there  is  any. 